gradle / gradle-build-action

Execute your Gradle build and trigger dependency submission
https://github.com/marketplace/actions/gradle-build-action
MIT License
671 stars 97 forks

Upgrade `semver` npm package. #829

Closed yogurtearl closed 1 year ago

yogurtearl commented 1 year ago

The version of semver in use has reported vulns ( https://nvd.nist.gov/vuln/detail/CVE-2022-25883 ) : https://github.com/gradle/gradle-build-action/blob/a4cf152f482c7ca97ef56ead29bf08bcd953284c/package-lock.json#L397

See https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

Upgrade to a version with no vulns:

https://security.snyk.io/package/npm/semver

yogurtearl commented 1 year ago

In general, do you have dependabot alerts turned on in this repo?

Anything that dependabot flags also causes issues for us. :) So issuing timely patches for all the dependabot alerts would help us a lot. :)

bigdaz commented 1 year ago

Yes we have dependabot alerts enabled, and the Semver update PR was merged last month: https://github.com/gradle/gradle-build-action/commit/ce999babab2de1c4b649dc15f0ee67e6246c994f

The fix is available in v2.7.0

bigdaz commented 1 year ago

I can still see the ^6.3.0 in package-lock.json, but it appears that the version actually used by NPM is the patched version.

bigdaz commented 1 year ago

I presume that you cannot see the actual security alert in this repository, but here's how it has been resolved:

[screenshot of the resolved Dependabot alert]

yogurtearl commented 1 year ago

Ah, yeah, ok, I can see it here 👇. Thanks.

https://github.com/gradle/gradle-build-action/blob/v2.7.0/package-lock.json#L13167-L13171

Thanks for the screenshot, that helps. (I can't see the dependabot alerts.)
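An added example, not code from gradle-build-action or from either commenter, of the point bigdaz makes above and that the linked v2.7.0 lockfile lines confirm: a `^6.3.0` range in a dependent's `dependencies` block only records what that dependent asked for; the `version` field of each `node_modules/.../semver` entry records what npm actually installed. The script below takes a parsed package-lock.json (the lockfileVersion 2/3 `packages` map, with the v1 `dependencies` tree as a fallback), lists every resolved copy of a package and flags copies below the patched release. The patched versions 5.7.2, 6.3.1 and 7.5.2 are taken from the advisory GHSA-c2qf-rxjj-qqgw linked earlier and are an assumption of this example, not something the thread states; the sample lockfile is constructed, not the action's real one.

```javascript
// Added example (not gradle-build-action code): report which versions of a
// package a package-lock.json actually resolves to, independent of the caret
// ranges that dependents declare, and flag copies below a patched release.

function parseVersion(v) {
  // Numeric major.minor.patch only; prerelease/build suffixes are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// First fixed release per major line. Assumed here from the advisory
// GHSA-c2qf-rxjj-qqgw (CVE-2022-25883); not stated in the thread itself.
const SEMVER_FIXED = { 5: '5.7.2', 6: '6.3.1', 7: '7.5.2' };

function isVulnerable(version, fixedByMajor) {
  const major = parseVersion(version)[0];
  const majors = Object.keys(fixedByMajor).map(Number);
  if (major > Math.max(...majors)) return false; // newer line, released after the fix
  if (major < Math.min(...majors)) return true;  // older line that never got a fix
  return compareVersions(version, fixedByMajor[major]) < 0;
}

// Every installed copy of `name`, hoisted or nested, with its resolved version.
function resolvedVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, values carry "version".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function auditLock(lock, name, fixedByMajor) {
  return resolvedVersions(lock, name).map((r) => ({
    ...r,
    vulnerable: isVulnerable(r.version, fixedByMajor),
  }));
}

// Constructed sample lockfile: `some-tool` still declares "^6.3.0", but its
// nested copy resolves to the patched 6.3.1, while the hoisted top-level copy
// is a stale 7.5.1 that the range string alone would never reveal.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'some-tool': '^1.0.0', semver: '^7.5.0' } },
    'node_modules/semver': { version: '7.5.1' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { semver: '^6.3.0' } },
    'node_modules/some-tool/node_modules/semver': { version: '6.3.1' },
  },
};

for (const r of auditLock(SAMPLE_LOCK, 'semver', SEMVER_FIXED)) {
  console.log(`${r.path}: ${r.version} ${r.vulnerable ? 'VULNERABLE' : 'ok'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls semver` shows the same resolved tree from npm's own resolver and is the quicker check when you only need one package.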